
Federal Officials Testify on Student Aid Data Breach (C-SPAN, May 4, 2017, 6:05am-8:43am EDT)

6:59 am
>> The key word is trying to come up with a solution; I'm not sure we have arrived at that. After the October 2016 discovery that the DRT could be vulnerable, the IRS is monitoring for any suspicious activity. >> We engaged with our friends and asked them; and suspicious activity in January. >> And an incident in February,
7:00 am
>> Multilayer defense mechanisms; one of the mechanisms is notification to the address of record for the individual. That led us to identify that we had an issue; we were able to find that in fact there is fraud that has taken place and immediately shut down the application. >> It is not discovered by accident. >> It was a notice generated from the taxpayer. The taxpayer came in and notified us. >> Taking responsibility for the IRS, and the application's face.
7:01 am
Please, her young people's lives at stake, to fit their unraveling that. >> The gentleman yields back. The chair would like to recognize the gentlelady from New Jersey for five minutes. >> Good morning to all of you. In September the inspector general reported on student loans in the department's system to take advantage of students. As reprehensible as that finding is, this is not the first time student loan companies have acted against the best interest of the students they are supposed to be serving. In 2015 the Consumer Financial Protection Bureau conducted a public inquiry, citing complaints regarding loan
7:02 am
servicers. More concerning, the current administration has withdrawn a series of policy memos from the previous administration that were put in place as protection for student loan borrowers, and student loan borrowers, predatory lending practices. >> In terms of our focus, our focus from the servicing perspective is high quality outcomes for students and borrowers. We put in place a series of actions over the years and, going through that, I can't really talk about specifics. I would reiterate, we are focused on a high
7:03 am
quality product, generating the best outcomes for student borrowers. >> Are you aware of rollbacks of certain oversight and accountability measures, initiated in this administration, that are overturning the accountability designed to protect students and the vulnerable? >> I personally am not aware of any rollbacks. >> Anyone on this panel, any recent actions on the part of the White House and Department of Education that will negatively impact the accountability of who is or is not a good person or entity to work in this space?
7:04 am
Is that a no? This January the Consumer Financial Protection Bureau filed a lawsuit against the largest servicer of federal and private loans. According to the lawsuit, billions of dollars by withholding information about income-based repayment programs, instead pushing borrowers into forbearance, for accrual of the compound interest. Are you familiar with these allegations? >> I'm familiar with those allegations. >> The student loans of 12 million borrowers, and 6 million service contracts with the Department of Education. >> That is right. >> And the lender's interest.
7:05 am
In the lender's interest, not the interest of the consumer. Is that right? >> The servicers act in the lender's interest, and no expectation in the interest. >> In the case of private lenders, a servicer working on behalf of private lenders. >> Does it concern you that companies publicly claim they have no responsibility to act in the best interest of the students they are supposed to be serving? >> We are in the procurement process. I can't make a comment on that. They are also in the process; I can't make a comment on that. We can't make decisions about our servicers. >> I expect -- we will ask you again
7:06 am
about someone like Navient, even though you can't express what is happening with regard to that company right now. >> We look at responsibility metrics -- >> I don't know by number the executive order or rollback that took place, and looking back at a company's business and reputation. And the best is taken care of the best. I yield back. >> Mister George, recognized for five minutes. >> When were you notified that there was a problem? >> It happened the same day.
7:07 am
>> You talked on February 27th this year. >> How many taxpayers were harmed by the breach that took place? >> Approximately 100,000. >> The law requires you to notify Congress when something like this happens. >> I'm not familiar with that. >> The Federal Information Security Modernization Act. Not later than 7 days after the date of the incident you should notify Congress. >> Yes. >> You are supposed to do it within seven days. Is that accurate? >> It sounds accurate. >> It doesn't sound accurate, that is the law. When did you tell Congress? >> In that 7-day timeframe, that is what I know. >> Is that true?
7:08 am
>> I am not sure when they made notification to Congress. >> We don't have it until April 6th, which is longer than 7 days. You told Congress on April 6th. >> I would have to go back and check. >> That is important, right? >> Yes. >> Mister Koskinen told us before the Senate. >> I have to go back and confirm that for you, sir. >> We appreciate that, but that is when Congress first learned, on April 6th, that there had been an incident. Here is what the statute said: not more than 7 days. Are you going to describe this as major? >> 100,000 people, I would say so. >> Same here. We wonder why you
7:09 am
waited so long. >> I will find out for you. >> We would like to get that. Is this the first time the IRS is waiting to tell Congress important information? >> I am not aware. I can't answer. >> There was a little incident that happened the last several years where the Internal Revenue Service systematically and for a sustained period of time targeted taxpayers based on their political beliefs. Remember that situation? >> I'm familiar with that. >> You did an investigation into that, a couple of investigations. Was the IRS always forthcoming in a timely fashion with important information in that investigation? >> We found there were some mistakes in materials that should have been turned over. >> A nice way to say it. You might have a career in politics with that answer. Let me refresh your memory.
7:10 am
The IRS knew there was a gap in Lois Lerner's email in February of 2014, and did nothing to stop the destruction of backup tapes. >> 421 backup tapes. And 24,000 -- do you know what he told Congress? June 14, 2014. We have the Internal Revenue Service, the agency has a lot of influence and impact on American people's lives, with a major breach that the law says you are supposed to tell Congress about within one week, within 7 days; they wait 38 days. Think about what Congressman Walker talks about. That took place before
7:11 am
February 27th. When Mister Koskinen testified and said we are putting you on notice that there has been a major breach, 100,000 taxpayers impacted, look what he said in that testimony. On April 6, 2017, Mister Koskinen testified before the Finance Committee that we started working with Education in October, telling them we were very concerned, very concerned that the system could be utilized by criminals. So Mister Koskinen was on notice that there were potential problems, potential big problems; he used the term very concerned clear back in October of last year. And on the 27th, the IRS told you this is real. They don't comply with the law, tell Congress within a week; they wait 38 days to tell us. That is not supposed to be how it works. >> It doesn't sound so. >> The IRS is treating taxpayers the way they are not supposed to,
7:12 am
and it is why this committee has been focused on trying to clean up the mess, and I have been focused on saying Mister Koskinen has to go. I yield back. >> Thank you, Mister Jordan. Miss Plaskett, recognized for five minutes. >> I thank the lovely chairwoman for the opportunity to speak. Thank you for being here. Everyone on both sides of the aisle is concerned about this issue. Most of us have children and have our own student loans or loans, as well as constituents. I did want to touch on something from a few minutes ago, talking about lawsuits. This is a lawsuit, and
7:13 am
a lower default rate with loan companies that have a propensity to loan to minority and underserved communities. >> The default rate of students who have loans is significantly lower than other loan companies. >> I will have to confirm that. The lower default rate is better, but I have to confirm that. The portfolios are not the same for comparison, and sometimes there would be natural differences in the default rates. >> The inspector general's
7:14 am
report: the systems were being misused by commercial third parties, something we talked about, things that we are very keen on, and navigating a difficult system, the first incident into their own finances, making decisions. And student loan companies, student loan consolidators. And the special agent in charge of conducting that investigation for the IG, and commercial
7:15 am
interests for loan consolidators. The commercial interest is key to me, and signaling companies, leading thousands of accounts, and using information in a manner to control those accounts? >> My understanding is it is a fee for service, and with 1,000 clients being charged for those services, it would be a commercial endeavor. >> Do you have a list of companies that were doing that? >> We identified some. >> Can we obtain a list of every student loan company involved in these activities?
7:16 am
>> I don't want to commit -- >> A week, two weeks, a month? >> If you give us a month, it would be appreciated. >> To the outside. >> Special agent in charge, account holders being taken advantage of sounds outrageous; can you explain not just the aggressive pursuing but what about taking advantage of them? >> I don't want to speculate. To the extent they are providing services, and can receive correspondence for decisions on behalf, those might benefit them commercially. >> Are any of the same companies doing business with the Department of Education? >> Not that I know of.
7:17 am
>> We have a responsibility to help protect students from this kind of abuse, but I am very pleased we are having this hearing to go through this, and a follow-up hearing with the student loan companies that are engaged in these activities, and I hope we have the IG from the Department of Education on what they found, and what you provided us, and I hope we are able to do that. I yield back. >> Thank you. I want to say thank you for your willingness to accommodate me on the tour the other night. It was not necessary, but I appreciate that, and you have the right to ask any witness for information, and I am sure that will be followed up, so thank you
7:18 am
very much. You are recognized for five minutes. >> I apologize if I review some information that has been discussed in this hearing, but raise your hand if you are responsible for -- let the record reflect -- raise your hand if you are responsible for the DRT tool? All right. Let the record reflect Ms. Garza and Mister Corbin raised their hands. On October 25, 2016, the IRS conducted a risk assessment and concluded that the DRT tool needed stronger authentication measures. Is that correct? And what steps were taken to improve the authentication measures?
7:19 am
>> We started to work -- >> With the Department of Education. What did you do since October 25, 2016, to strengthen the DRT tool? >> Increased monitoring on that application, so that we could be alerted should something suspicious happen. >> Were those efforts successful? >> In January those efforts identified suspicious activity, and at that time we partnered with the Department of Education to get our two cyber teams together to review the suspicious activity, and we were informed by the Department of Education that it was normal behavior. >> What steps are being taken to strengthen the authentication of DRT? >> We have developed and implemented on the IRS side, working with the Department of Education. >> How is encryption going to
7:20 am
help with authentication if you have a user that has stolen credentials? >> The authentication solutions -- and providing application. >> Encryption on the back end, help with authentication, and stolen credentials? >> It does not improve authentication. >> A special applicant. >> If you have stolen credentials, are you able to prove that you have the credentials? What do you do to prevent that from happening? >> There are keys that the IRS shares with the Department of Education. As the applicant comes in and
7:21 am
releases data to the Department of Education, they don't have access; we encrypt that data, and the Department of Education, once it gets to their side, will be able to decrypt the data. So the applicant -- >> So, Mister Gray, how do you respond? What are you doing to strengthen authentication, to authenticate the end user? >> We are dealing with proactive measures. >> That portends to something in the future; what have you done? >> And we protect these systems.
7:22 am
>> I referenced them in my opening statement. >> How does that help with -- >> This is the balance; this is an application form. >> I get that. It is your responsibility to confirm that the person entering the data is indeed the person who owns that data. >> I recognize that is a tough
7:23 am
job. And the theft of 100,000 students, so the DRT tool is lacking. My concern is everyone is doing this, and I want to hear that too. >> The authorities I have are very adequate. In terms of what we are doing, the acceptability of the tool, which at this point is a web application where students and prospective borrowers, the level of authentication for that, disbursing the funds, and we are
7:24 am
masking the data so that if an identity thief logs in to the system they will not see the data, which would not allow them to exploit this vulnerability. >> I apologize for going over my time. >> Without objection I will recognize Mister Duncan for a unanimous consent request. >> You will not get to me for questions, so I make a unanimous consent request at this point: the financial aid administrator of Tennessee College of Technology, with problem and email. Thank you very much. >> Thank you, Mister Duncan. Miss Kelly, you are recognized for five minutes. >> In recent years, hacking, identity theft, and cyber
7:25 am
crimes have been on the rise. I have been a victim myself. Federal agencies do their part to secure their systems, but Congress must acknowledge the impact of its own actions on the ability of agencies to protect their IT systems. Many agencies face serious challenges maintaining outdated legacy IT systems, and severe budget cuts under Republican control. The chief information officer, Terence Milholland, testified, quote, the IRS budget situation is the most critical challenge facing IT modernization. What are the impacts of budget cuts on the ability of the IRS to modernize IT systems? Are we putting taxpayers at greater risk? >> One of the things Congress
7:26 am
did last year: $290 million. We have a portion of that funding to monitor systems closely; we continue to invest in the Return Review Program, which allows us to create rules, as returns come in, to evaluate returns for potential fraud and identity theft and stop those returns before they are paid out. >> Is it on? I want to thank Congress for the money we did receive. That is extremely beneficial and puts new technology in place protecting our systems at a higher level than they have done in the past. In this incident itself we were
7:27 am
able to address the situation a lot quicker than we would have been able to in the past because of new monitoring capability and the data analytics capabilities that are implemented using those resources. >> Would you say more is needed? >> We would be thankful for additional resources or continued support in this area. >> It is not just IT systems affected by resources -- it might increase progress on modernization and cybersecurity measures and would require significant additional resources in IT areas. Do you agree with that assessment? >> I would agree with the assessment of our needs. >> I would agree as well.
7:28 am
>> Yet again, Congress failed to ensure agencies have resources to carry out their missions. Under the IRS Restructuring and Reform Act of 1998, Congress gave the IRS the authority to hire a limited number of individuals for critical and technical positions at a level greater than General Schedule rates. The critical pay authority was intended to help the agency attract highly qualified individuals with advanced technical expertise who might otherwise be unavailable for government service at normal federal levels. The IRS used its authority from 1998 to 2013 to make federal government jobs more appealing to highly qualified technical individuals interested in public service but earning a much higher salary. >> The streamlined critical pay
7:29 am
that we had was beneficial for the IRS. Because of that authority we were able to bring on board high-level architects, engineers, and cybersecurity experts. Over the last several years they helped us ensure that we were doing what was needed to secure our perimeter and make sure our systems are running much better. An important component of this is the streamlined part of the critical pay. It allowed us to offer a job when we found somebody after the announcement was made, and to identify somebody much quicker than the normal process would have. What we found was, without the streamlined component, when we got back to the individuals who were interested, the time that had elapsed was so long, they were not able or no longer available to come to work for us. It is a critical component. >> It expired in 2013, and has not been reauthorized.
7:30 am
American taxpayers lose when Congress ignores its responsibility. Congress can and should swiftly pass streamlined critical pay reauthorization and provide adequate resource levels for this type of security at all agencies. Thank you, Madam Chair. >> Thank you, Ms. Kelly. Mister Runcie, recognized for five minutes. >> I look forward to reauthorization if we can get the reforms required as of our last couple of hearings for the use of 168 slots.
7:31 am
>> The kickoff of the Affordable Care Act web site. And as you know, on that web site, if somebody looking at their information at the top of the screen simply went up there and changed the state, they might look at somebody else's personally identifiable information. That was discovered right there in the HTTP line, right? Do you remember that? >> That was on the CMS side. >> Right. >> And so I don't have any details or specifics on that. >> Okay, just for historical sake, I actually did it. You could -- and somebody did it themselves. You could change the state, and you could end up with somebody
7:32 am
else's identifiable information on your screen. Now, they would have said there was no breach, as Mr. Gray is sort of saying, because there was no proof anyone took that information and used it. But let me ask another way. If you put a team of white knight hackers on to this vulnerability, could you have harvested information, in your estimation? >> I think the evidence is that after the fact, yes, we -- there were people that were accessing that application for bad reasons. >> Okay. So, Mr. Gray, I want to get you on the record, under oath, with an accountable statement. If there's evidence that people did nefariously gain some information, whether they used it or not, and that a team of white knight hackers or bad people could have harvested information, don't you have to admit that this is by definition a data breach? Not just a hypothetical
7:33 am
vulnerability, but a vulnerability that was recognized and that caused the shutdown of this tool? >> Thank you for the question and the request for clarification. I would say that when I'm speaking about a data breach, I'm speaking about the Department of Education systems, and through our analysis there was no department data that was compromised or viewed through this. This was a case of unlawfully obtained information that was used to go through our system to pull information from the DRT. >> Okay. But in this case we're talking about -- you together represent, like, an automobile. And you're saying that your right-hand wheel didn't come off, but the left-hand wheel did or could have. Ultimately, the construction of the entire product was brought to a halt as a result of a failure. Right? >> Yes, sir. >> Okay. And both of you, I just want to make sure, because I heard
7:34 am
Ms. Garza say it, but both of you admit that under the reforms, as CIOs, you have budget authority and the authority necessary to shut down or to make whatever changes are needed to control the security and accuracy of your work. Is that right? >> Yes, sir. >> Okay. So now my question to you in the short time remaining is, although this is about education and it's about the tremendous impact on students who will have a burdensome time applying, if we are to do the next level of reforms that this committee would be required to, if we've given each of you authority and one of you says I've got a breach and the other says I don't, how do we resolve, within the hierarchy of the Executive Office of the President, so to speak, how do we resolve making sure that the failure of the whole is, in fact, controlled by somebody?
7:35 am
In other words, I'm looking at the two of you. You gave slightly different testimony. I think you've come together on testimony. But I want to know how in the future we do two things: one, make sure that somebody above you, sort of a super-CIO, can make sure that everyone's looking at the entire vehicle and not just a left tire and a right tire. And then secondly, where were those white knights in this process? Where were the people, third parties, who scrubbed this data and system trying to find those vulnerabilities? Because somebody found it, and it wasn't either of your teams. I'll take an answer from either of you in the time I'm allowed. >> I don't know where those white knights were, sir. I do know that there were other entities within the government, USDS specifically, that were assisting as well. I don't know where they were. >> Okay. So as was said earlier, before the fact you don't know; after
7:36 am
the fact, of course, you could recreate it. Ms. Garza, the two questions to you. You're very senior in this position; you've had a lot of experience. One, how do we bring together organizations like yours that have become interdependent to make sure there's oversight of the entire combined authority, and two, how do we make sure there are white knights proactively in the future to try to find these things, and maybe concurrently and constantly try to find them? >> Congressman, we actually do have processes in place where we do penetration testing, where we have individuals that come in and test our applications to ensure that they are not subject to white hackers coming in and getting away with the data. >> Although white hackers I'm okay with. >> Black hats -- [laughter] >> Bad guys. >> So we do have that process in place, and we do use it. I don't recall right now if that
7:37 am
process was utilized on this application. It clearly should have been, and perhaps we would have been able to avoid this. As far as your other question, as the IRS continues to work with other agencies to provide data, it becomes more and more important that we actually address the concern that you have raised. I don't have an answer for you right now, but it's something that we need to be very thoughtful about, because I think this is going to start happening more often. >> Thank you. Thank you, Madam Chair. >> The gentleman's time has expired. The prerogative of the chair: I think it would be helpful to this committee and to Congress as a whole to get some sense of what kind of priority you put on testing your systems, because it's pretty obvious that something like this should have been tested, and should have been aggressively tested, any time you're sharing data with another agency. So I hope the committee will
7:38 am
follow up on that. Mr. Raskin, you're recognized for five minutes. >> Mr. Runcie -- why would they do that? What's the scam? Can you explain how that works for them? >> They're commercial and fee-for-service agencies -- >> These are legitimate businesses then, these are not internet scammers? >> They're not internet scammers, but the nature of the interaction between, you know, those entities and the -- [inaudible] I can't
7:39 am
characterize that. It seems and appeared that in cases where they want to have a level of control to create a transaction or to continue through the process, they change e-mail addresses and potentially mailing addresses and so forth to facilitate the process that they're taking the students and borrowers through. >> How do they profit from it? They take over the students' account? >> They may charge, and I'm just going to make up a number, let's say they charge $100 per consolidation or more. So there's an agreement that they will consolidate the loans and create a lower payment amount or whatever the agreement is, and they would be paid for that. >> So did this actually take place? I mean, in one example in the I.G. report, in 2013 a company charged borrowers a monthly fee, I think it was $60, with the promise of enrolling them in the public
7:40 am
service loan forgiveness program eventually, which they weren't qualified for. Does that actually happen with people? >> My understanding is that there are these companies that provide these services, and a part of that process sometimes is they put people into forbearance with the understanding that they're going to go into consolidation. Those are third party entities involved in a transaction that doesn't include the department, you know, except for the fact that they're using the e-mail addresses and the resources that we have to fulfill transactions where they make money. >> So just to get you straight there, they're using your web site, essentially, as the framework to access their victims, and then they prey on the people. But as far as you know, they might still be in this scam relationship with the students. >> Yeah, we've looked at IP addresses and some of the activity, and in some cases you will actually see loan consolidations.
7:41 am
Whether it's 10% or 100% of their clients, we don't know. What we've stressed is user education, to make sure that people are aware that they can get these services done for free by leveraging resources that the department provides. >> Well, I get complaints on a daily basis pretty much from my constituents who feel like the whole system's a scam. But you're talking about a scam on top of a scam, in a way. People are in serious debt from college, and some of these kind of low-riding companies are able to access them, charge them more money to offer them either real or completely illusory services, right? >> That's right. >> Who is the ombudsman or champion of America's students and college graduates who's looking out for the scams in the IRS, the Department of Education, every level of government? Is there anybody? >> I think we play a role, the
7:42 am
department plays a role. For instance, I mentioned user education. The I.G. has noticed that this is an issue, and we're doing some things with our systems to make sure that we give them an additional tool or lever that they can use to prosecute bad entities. So we play a role in that -- >> How many prosecutions have there been since this was revealed? >> I don't have that information. >> Have there been any prosecutions? >> I -- we don't prosecute. It would have to be through the I.G. or some other -- >> And let me just say, I know everybody up there has a tough job, but the overall institutional sense that I get is one of basic passivity and reactivity to events rather than getting on top of it. I think there's more student debt in America than credit card debt now. It's more than a trillion dollars. And, obviously, there's a lot of money being made there, including
7:43 am
by people who are going out and preying on people who are already laboring under the burden of these loans. Do we need to create an ombudsperson, somebody who's just a champion of the students and the graduates, to make sure that they're not getting ripped off at every step of the process? >> Yeah. I mean, we have an ombudsman, but it's not -- it's sort of a pervasive, all-inclusive person that sort of challenges resources across government, across I.G.s, so that is potentially something that could be useful. >> Where is that ombudsman located? >> FSA; they deal with customer service issues, they could be school-related issues. >> Did that person ever raise any of these issues with you
7:44 am
about the scams being perpetrated on students through the web site? >> No. Those scams are done by third party entities that are outside of our scope. And so -- >> Basically, it was nobody's responsibility to try to identify that threat. Is that right? I mean, that's not a gotcha question -- >> No. No. >> I'm just trying to prevent this from happening again. There were cases of this going back four or five years now. >> Yeah. Again, the commercial entities that are marketing to students to provide services to those students, and the students agree to, you know, obtain those services, and the questionable nature and value of those services is not something that we police. What we've been trying to do is provide user education and let people know that, you know, they don't need to use these resources. And we've, you know, been working with partner organizations and
7:45 am
so forth, but we don't have any control over those entities. >> Thank you very much for your answers, and I yield back, Madam Chair. >> Thank you, Mr. Raskin. Mr. Hice, you're recognized for five minutes. >> Thank you, Madam Chair. >> No, Congressman, I can bring that or go back and get that information for you. >> Please do. But would it surprise you that in 2013 alone it was over $5 billion? Does that come as a surprise to you? >> It does not come as a surprise, Congressman. >> Okay. So it's no surprise that over $5 billion, let's just say that's the average a year, $5 billion a year plus or minus in fraudulent returns. And now, as has been clearly established, ballpark 100,000 taxpayers were put at risk as
7:46 am
thieves breached the DRT. Do you have any idea how many fraudulent returns resulted from those 100,000 taxpayers? >> So, Congressman, what I know is that of the -- we have received about 111,000 returns filed under those Social Security numbers. Of those returns, 80% of them were either stopped by our filters prior to the refunds being paid, or they were the actual, legitimate taxpayer. >> Well, that's good information, but that was not my question. I want to know how many fraudulent tax returns came from those 100,000. >> Yes, sir. We have confirmed about 29,000 as identity theft. >> How many of those were fraudulent? Commissioner Koskinen said about 8,000. >> Yes, Congressman. There are 8,000 returns that were not stopped by our filters that we have not been able to -- >> That were fraudulent.
7:47 am
>> we have not been able to determine if they were fraudulent or the legitimate taxpayer. >> that was my question. do you have any idea how much money was lost due to those 8,000 fraudulent returns? >> i believe that is about $32 million, sir. >> it is about $30 million. does the irs reimburse the fraudulent tax returns from those who are victims? >> so when a true taxpayer comes in and files their return, they do get their full refund that they're entitled to. >> okay. and who pays for that? >> that comes out of the treasury, sir. >> so the taxpayers pay for it. >> yes, sir. >> so we had $32 million just out of this 8,000 fraudulent returns. is that $30 million, does it include the reimbursement from the victims? >> no, sir, it does not. >> so we're talking $60-$65 million in this one incident. we're talking if we have $5
7:48 am
billion a year in fraudulent returns, we're probably talking $10 billion that it costs the taxpayers every year after the victims are paid back. is that -- >> so of the $32 million, congressman, again we have not confirmed whether that is a fraudulent return or the true -- >> okay. i'm just going by what commissioner koskinen said, and i would think that he would be accurate in that information. ms. garza, i'm still scratching my head over your comments earlier that as far as you're concerned, you didn't know of any breach whatsoever, and yet it's pretty well confirmed there was a breach here, and you even came back around and admitted that a little while ago. >> it depends on the timing, sir. in september -- >> it depends whether or not anyone broke into the system. i tell you what, i just struggle. it appears at the end of the day you're either in denial of what
7:49 am
happened or you're incompetent or just untruthful in what's happening here. and i go back with what's been shared. there's -- the abuse that's been inflicted on american citizens by the irs is inexcusable, and it's time that there's some accountability and change that takes place at the irs. this is just, it's so bothersome, it's indescribable. mr. gray, let me come to you. it's my understanding that the department may have the data retrieval tool for the purposes of income repayment plans back up in june, is that correct? >> that is my understanding, sir. >> okay. that being said, if it's -- it's taken more or less three months to fix it, correct? >> yes, sir. >> okay. if it has taken three months, why in the world was this not addressed last fall? >> unfortunately, i can't answer
7:50 am
that question because i'm not involved -- >> who can answer that question? >> mr. runcie. >> it wasn't addressed, i think it's what we said a little bit before which was we were making a decision at the time based upon the fact there wasn't any criminal activity. what the commissioner said is we would continue to monitor the situation, and once this was confirmed criminal activity, we would take the system down. so that was the focus of it. and march 3rd when there was, when we were contacted, the system was taken down. >> the commissioner said that identity thieves used it to put forth false tax returns and made it clear that there was criminal activity and that because of such the system was going to have to be shut down. it looks like we're talking out of both sides of our mouth.
7:51 am
madam chair, i thank you for indulging me extra time. i yield back. >> thank you very much, mr. hice. mr. clay, you are recognized for five minutes. >> thank you, madam chair. and i find it deeply concerning that the trump administration has started rolling back the protections that help insure that students are not taken advantage of by predatory loan companies. mr. runcie, secretary of education devos recently rolled back a critical protection put in place during the obama administration. this protection prohibited loan servicers from charging up to 16% in interest on overdue student loans if borrowers entered a loan rehabilitation program within 60 days of default. mr. runcie, why did she rescind
7:52 am
that protective order? >> i'm not aware -- there was a policy memo that was rescinded. is that what you're referring to, representative clay? >> yes. >> so we, again, we're in the process of going through a competition for servicers, and the focus of that competition is to make sure that we have the best contract in place that's focused on high quality outcomes for students and borrowers. so that's what we're focused on. there hasn't been anything communicated from the secretary that would change our ability to go forward and to make sure that there's a vehicle in place to make sure that we optimize outcomes for -- >> and doesn't that action place the financial interest of the loan companies over the interest of our students? >> that's not what we're doing, and that's not what's been communicated to --
7:53 am
>> well, does it signal to loan companies that they can return to the predatory practices they engaged in before that take advantage of students? i mean, look, you and i know that people struggle to pay these student loans. so they came up with a way to give them some kind of relief, and now we're going to throw that out? >> look, i see how you're focused on making sure that we have the best circumstances for borrowers and students. and, you know, if you look at income repayment plans which is a tool that was put in place to make it easier for students to manage their obligations and their debt, that has risen substantially. our servicers in the department focused on making sure people get into plans that allow them to maintain and manage their debt. >> okay, let's talk about those plans.
7:54 am
just last month the secretary withdrew another critical consumer protection afforded to student borrowers. under the secretary's order, contracts for debt collection will no longer be based on a loan company's history of helping borrowers, but can again be based on a company's ability to collect debt. can you explain why this change was made? >> actually, the evaluation -- and, again, we're in procurement mode, so there are certain things i can't talk about -- but the actual evaluation does include looking at past performance and responsibility as well as operational performance. so it is, the process is more than just looking at the ability to recover. >> yeah, but doesn't that then go back to allowing these companies to prey on borrowers, and, i mean, make that the standard
7:55 am
operating procedure that, at all costs, collect the debt? >> i can't speculate on that, sir. >> and, look, there have been troubling reports recently that the department is reversing previous determinations that student loan borrowers qualified for a loan forgiveness program to encourage public service. borrowers may have relied for years on these determinations to plan their educations, their careers and their lives. and this program started in 2007. under this program borrowers can have the remainder of their federal student loans forgiven after making ten years worth of payments if they serve in full-time public service jobs. is that what's going on? >> i'm aware of the issue, and my understanding is that there is potentially some litigation around that.
7:56 am
but the public service loan forgiveness is a vehicle that's out there. if you make payments for ten years on time, you could be forgiven the remainder of that. that program's in place, and we operationalize it. >> and are you intending on changing it? >> i'm not aware that there's any intention to change it. you know, that's an overall departmental perspective. >> it all comes down to let's scam these students, let's scam these borrowers. and let's take care of the servicers. and i think you should be ashamed of yourselves. >> well, what i can say is that -- and i can say this personally -- is that there is a dedicated staff that's been there for quite some time, and our focus is not to facilitate any situation that compromises students and borrowers. we're committed to making sure they have the resources to be successful.
7:57 am
we know it's difficult, it's a huge portfolio, but my intention is the same as your intention, which is to make sure that we don't have a structure that compromises -- >> god help the borrowers. >> the gentleman's time has expired. the ranking member's recognized for a unanimous consent request. >> thank you very much, madam chair. i want to submit for the record a letter to the honorable kathleen teague just requesting certain documents with regard to this hearing. >> without objection. the chair will recognize herself for five minutes. i have to say that i agree with my colleague from georgia who was here a few minutes ago that this situation of none of you all or people in your agencies being willing to take responsibility for what's
7:58 am
happened. either you're in denial or incompetent. i think the american people watching this are feeling the same way. i'm troubled by my colleagues wanting to distract from the incompetence of the fsa and the irs on display here today. i want us to go after any bad actors outside the system, but our number one priority is to protect the american people. and everybody who works in this country is affected by the irs. so, yes, we want to protect students from any unsavory characters, but all americans are affected by the irs if they file their taxes, and most of them do. thank goodness we have a system where most people voluntarily do what they're supposed to do. so we, the problem we have with our government agencies is
7:59 am
there's no accountability for any of you individually, and that is a shame, a real shame on this country. that you all can ignore the continued incompetence and not be held responsible. i do have some questions. the department has taken some steps, mr. gray and mr. runcie, to mitigate the burdens on students' families and institutions caused by the drt suspension. but i'm concerned about the potential fraud, the flexibilities you've put in place may cause. how is the department protecting against fraudulent income reporting or insuring that no new doorways to fraud are opened in this process? and i'd like specifics, please. >> well, in terms of -- and thank you, chairwoman foxx -- in terms of
8:00 am
specifics, you know, the verification, the back-end verification is something that we've used along with, you know, the schools. so we do regression analysis, and we come up with a formula that indicates a level of risk. and so what we've done in terms of giving flexibility is we would reduce the lowest risk element based upon our regression analysis so that even if we lessened the verification burden, it would be on a risk-mitigated basis. so we would only eliminate the lowest risk applicants potentially. so the other part is that we're going to do this for a limited period of time, right? because we're going to get the tool back up october 1st, and so for all the fafsa cycles going forward, that won't be an issue. so it's somewhat of a temporary
8:01 am
way to address to balance the burden to the schools against the risk to taxpayers. >> mr. gray, do you have anything to add to that? >> yes, ma'am. i would say there are also technical controls that we are looking at putting in place, and i would be happy to give more in-depth detail about those controls specifically, but i would not want to reveal sensitive information right here. >> i understand. so, mr. runcie, you touched on that you're trying to get the system back up for the 2018 fafsa filing period. recognizing the balance between security and access, can you make the commitment to insure that there's no opportunity for the drt to be misused again when it is once again operational? and i want to ask each one of you, answer that question yes or no. mr. runcie? >> yes, because -- >> that's all i need to know. >> okay. >> mr. gray? >> yes, ma'am. >> ms. garza. >> i'm unsure. >> you're not sure.
8:02 am
mr. corbin. >> i'm also unsure. >> mr. camus. >> we will be watching closely. >> i think you've given the american people great confidence today from the irs when you tell us you cannot secure the systems. mr. runcie, i want to come back to you. i've been hearing troubling reports regarding the collection of defaulted student loans, and we've been hearing a lot about that this morning. currently, struggling borrowers in default are without the critical services needed to rehabilitate their loans or other benefits. this is the responsibility of the department. can i get a commitment from you and the department to provide my staff with critical information needed to assess the current loan default situation? >> absolutely. >> and when? >> two weeks.
8:03 am
>> and when? can we get, when will we know what the critical information is? when you get that to us? >> we can define what the critical information is within two weeks, and we could get you the information within a month, so we'll have that to you within a month. >> thank you for telling us that. we will hold you to it. >> thank you. >> mr. connolly, you're recognized for five minutes. >> i thank the chair. i just want to say the breach at department of education is something we've been warning about in this committee for quite some time. department of education holds data on 139 million individuals, and i would echo what our colleague from ohio, mr. jordan, said. the department of education may very well be in breach of law. and we're going to explore that.
8:04 am
however, i know -- what happened? to mr. scott? i was just going to yield to mr. scott -- >> he had to go. >> he had to go. all right, sorry. then i'll pursue. mr. gray, are you familiar with fisma? >> yes, sir, i am. >> and what does that require you to do at the department of education? >> to protect our information assets for the department. >> well, that's not all it does. doesn't it have a reporting requirement with respect to the legislative branch? >> yes, sir, it does. >> and what is that reporting requirement? >> within seven days of an incident -- >> and did the department of education comply with that seven-day reporting requirement? >> sir, through our analysis of nearly 89,000 social security numbers, we did not identify that department data was compromised in this situation.
8:05 am
unlawfully obtained information was used to go through our system to access information through the drt, which is why we, we did report to u.s. cert, and when it was identified that the compromise was through the drt, we -- that is when we did not report this as a major incident, because our information, meaning the information that the department holds, was not compromised. >> and is that still your position? >> yes, sir. >> so from your point of view, fisma has not been triggered. >> a major breach of department information was not compromised. >> is that the language of the law? that a major breach has to be compromised? that is to say, a major breach has to lead to the compromise of data? >> no, sir. the, when the irs reported this and we were notified on march
8:06 am
3rd, it was identified as an irs system. it was not a department of education system. we did thorough analysis of all of our systems through fafsa, and nothing indicated, to my knowledge, that any of our information was compromised. >> mr. camus, is that your view? >> we have yet to determine the timeliness of the reporting of the incident, sir. >> no, that's not my question. my question is, do you concur with mr. gray that there was no breach of data? compromise of data. >> we, we would view it as once somebody was able to see somebody else's data, that that, in fact, has been a breach. >> so i would too. and, therefore, i would argue fisma is triggered. would you agree? >> yes, sir. [laughter] >> well, mr. gray, sure does sound like you're splitting hairs.
8:07 am
and you're coming up with a criterion that was not envisioned in the law itself, nor is it reflected in the language of the law itself. i mean, we don't have traffic laws that allow you to decide, well, i didn't hurt anyone. yeah, i was speeding, but i didn't hurt anyone so, therefore, i shouldn't get a ticket. i mean, the law is there to make sure the legislative branch is informed in a timely fashion when this kind of activity occurs. and the reason isn't so that we're keeping score, it is to make sure that we're doing what we can on our part to protect sensitive data of american citizens. and it seems to me that it was incumbent upon the department of education to inform us in a timely fashion. in fact, i would even argue if i were managing the department of education, the better part of wisdom would dictate that i inform them even if i didn't believe fisma was triggered. but the fact that months could
8:08 am
go by and, as mr. camus just said, a breach is a breach. once it's breached, you have to assume that data's compromised. and i just find your explanation very credible and i, frankly, think it's a disservice to the people whose data you possess. and it's an end-around with respect to the legislative branch. and i think it's in violation of law. i know we're going to pursue that more. but i don't think, i don't think that's something that puts the department of education in any kind of good light. my time is up. and i'm sorry i missed mr. scott. i was going to testify to him. i thought i was asked to. thank you, madam chairman. >> thank you, mr. connolly, for honing in on the issue of the day and looking for what remedies we might have under the law. mr. meadows, you're recognized. >> thank you, madam chairman. we're going to follow up, mr. gray, right now.
8:09 am
because i can tell you that mr. connolly is spot on. and this is not your first rodeo, you know? we have had these other issues before with regards to previous. and is it your sworn testimony today that this did not actually require notification of congress? >> no, sir. my understanding is that the irs had reported the incident and that it was a breach. but the department of education, my understanding, when i was notified on march 3rd that the notification had already happened. i have learned in this hearing that it did not happen. >> well, how can the american people actually people who share private information with you who expect it be protected have confidence when you're here today and you don't even know the full story that you're finding out in a hearing when you knew that we were going to be looking at this?
8:10 am
how can you find a hacker who truly wants to come in and do harm and you can't even be prepared for sworn testimony today on questions that i presume that you knew we were going to ask? >> i understand, sir. the -- >> where's the outrage? where is the outrage, mr. gray? are you not outraged? >> i absolutely am. our -- >> why didn't you notify congress? >> my understanding was this was not a department of -- >> you realize that was not -- did you have your counsel that said you don't have to notify us? who did you check with who said you don't need to notify congress? >> we went through our incident response process who did an assessment -- >> so why did you refer something to an outside agency before you notified your own
8:11 am
i.g. within your department? >> our i.g. was notified -- >> well, according to my documents you actually notified u.s. cert first. according to your testimony. why would you do that and wait to get the i.g. involved? >> because when we notify u.s. cert, it's to let them know we were investigating something had occurred. at that time, we weren't sure what happened. >> okay, so you notify the i.g. it was important enough to notify the i.g., but it was not important to notify congress. >> hindsight, sir, yes, it was important enough to notify congress. >> well, at what point are we going to get this right? because we continue to have breaches. mr. connolly and i have had a number of hearings where we've raised this as a concern, and yet what happens is, is we're all coming in after the fact to look at this. do you not see a problem with that? >> i do see a problem with that.
8:12 am
>> well, when are we going to get it fixed? >> sir, we receive on average more than 1.5 million intrusion attempts every single month at the department. and what my team does is we assess to determine whether or not something had happened, nothing happened, and logistically, i mean, i know in this case it's easy to say, okay, this should have been reported. i understand that. >> so you're saying it's a matter of logistics on why you didn't report it. because that's different than what you said earlier. earlier you said you didn't think you had to report it. >> based on the analysis that my team did, we -- our information, our information, information that i am, that -- >> so how confident are you that there was only 89,000 people that were affected? >> based on the log analysis that was done at the department? very confident. >> all right, a ten? >> yes, sir. >> so if we find out there's more than that, are you willing to resign? >> if it's, if i don't know the information, no, sir. i mean --
8:13 am
>> well, you said you're confident at a level of ten, so i guess i would stake my reputation on that if you're confident at a ten. so if there's more than that, because the irs knows that sometimes we find out there's actually more people affected than was originally thought. so if you're confident at a ten, are you willing to stake your reputation and your job on it? >> so, sir, the challenge here is that -- >> sir, i am representing people back home in north carolina, as every member here is. and you know what? they fail to realize that you can't protect sensitive information that they give you, and they don't understand that. i don't understand it. at what point are we going to have a confidence when people share their information with the government that it is not subject to being shared with another party? isn't that what your job's all about as cio? >> yes, sir. >> all right. the next time are you going to inform congress when there may
8:14 am
be a doubt? will you inform us within the seven days? >> absolutely. >> all right. ms. garza, last question to you. why didn't you inform us? >> congressman, we briefed the staff shortly after we brought down -- >> you didn't brief our staff. why didn't you inform congress? that's the question of the day. because according to your data, it's 100,000, so it certainly would meet that threshold, but why wouldn't you inform us? >> so, congressman, we did inform the congress that this was a data breach. the reason why it took as long as it did is because we were going through, analyzing the information. the initial population was much smaller than 100,000 that we thought were impacted. we also needed to coordinate with the department of education to determine whether this -- >> but didn't you find it just based on dumb luck? it was actually just one of your
8:15 am
irs employees that actually got a transcript request and they said, hey, something doesn't smell right here? >> congressman, we have multiple layers of -- >> that's not the question. wasn't it dumb luck that you happened to find this? >> no. >> so it wasn't an irs employee that happened to get a transcript? be careful, you're under sworn testimony here. >> it was an irs employee. he received a notification as part of one of our defense mechanisms that his account had been accessed. >> so it was an irs employee who happened to have his stuff that was notified, and we said, hold on, we've got a problem here? do you not see that that is almost laughable? >> one of our mechanisms to determine whether something has gone wrong is a notification to the taxpayer. our systems automatically send out a -- >> so you purposely embed irs employees in this so they might
8:16 am
get a personal notification so they can highlight this? come on. i'll yield back. >> [inaudible] >> thank you, madam chair. thank the panel. ten years ago i was proud to lead the effort here in the house, and we teamed up with senator kennedy on the senate side to create the public service loan forgiveness program, and we paid close attention to that over the last ten years working with the u.s. department of education along the way to create online resources to help borrowers understand whether they're going to qualify for this program which includes reduced monthly payments as well as ultimate forgiveness of their outstanding principal if they commit ten years to public service. that includes the need to be assured that the employment you have, the particular employer that you're working for qualifies under that public
8:17 am
service category and that you can count the time spent with that employer towards your ten years and, ultimately, earn the forgiveness. congressman clay alluded a moment ago to the fact that there's some troubling position that the u.s. department of education has been taking over the last 18 months with respect to certain categories of employers. they're now telling borrowers who relied on an assurance that that employer would qualify being told now that it won't, and there is some litigation around that, mr. runcie, as you indicated. we need to get to the bottom of that, because there are borrowers that have relied on assurances that have come from the department, and they need to be able to count on that, otherwise the rug is being pulled out from under them. i know that some of us here have been trying to get a briefing from the department over the last few weeks.
8:18 am
that has not yet happened. could you commit to us today that the department would be willing to brief us on this issue and what's happening with that? >> so i, it's not just fsa. i mean, we obviously operationalize it and put the resources out there so people can avail themselves of public service loan forgiveness, but i think that would include other entities -- >> well, that's fine. can you help us arrange to get that briefing done and get it done quickly so we know what's happening with this, and then we can take appropriate steps in our oversight capacity? >> absolutely. it's an important issue, and we're focused on, so i will commit to working with my colleagues -- >> let me stay focused on the public service loan forgiveness piece, because when you talk about the universe of borrowers that are impacted by the breach that we're talking about today using this data retrieval tool, you have the part of that
8:19 am
universe that are folks that are, you know, involved with standard repayment, and then you have those who are in a loan-driven repayment situation based on one program or the other. that includes public service loan forgiveness. and they have to be handled differently, because they're impacted differently. and you've indicated that with respect to the standard repayment world that you're going to try to get this tool back in service by beginning of the next year, so october is the goal. but with respect to loan-driven repayment, you're trying to get that back up by may. so can you tell us how confident you are that -- i mean, it is may now. how confident are you that that is going to be available to folks that are benefiting from loan-driven repayment arrangements? is that going to happen? >> yeah. we're very confident. you know, as the irs mentioned,
8:20 am
they've completed the encryption part, and we have a timeline that gets us to a place where it's up and running by the end of this month. so we know it's only another few weeks, but we can commit to that. >> i appreciate that. could you also let me know, i know one of the remedies are sort of stopgap remedies when someone is in this situation, perhaps not being able to access a tool that allows them to do things in a timely fashion, forbearance for two months, three months, what have you. that can work okay for the standard repayment folks because there's really no downside to losing a couple of months in terms of your repayment, but if time is of the essence in the sense that you're accruing time towards this ten-year repayment period, then forbearance isn't necessarily going to be a great solution for people that are in the loan-driven repayment category. is that something that the
8:21 am
department has considered, and is this a way to provide a remedy there that doesn't complicate the lives of these folks that are in a particular program like that? >> yeah, i'll make sure that we are -- i know we're considering a lot of different issues around it, and i believe that's one. but we'll certainly make sure that we're focused on that, because i do understand the issue around that. >> okay. i yield back, thank you. >> wanted to add one thing, and we're pretty firm on the end of may unless potentially some requirements change, but i think we're committed to the end of may. >> for -- >> for the tool being back up for the income driven repayment plan. >> thank you, mr. sarbanes, thank you, mr. runcie. mr. mitchell, you're recognized. >> thank you, madam chair. i join your dismay that rather than discuss the data breach, the impact it has on the ability of students to get assistance,
8:22 am
how we deal with the data breach going forward that some wish to talk about issues that we're now going to investigate as well which is potential bad actors. to obfuscate what the current issue is which is the irs and the department of ed's inability to have this tool work and not have it breached, but rather, talk about other issues. we only have so much time here. we only have so many things we can do simultaneously. let's talk about the issue we put on the table. so i am dismayed, and i guess i shouldn't be surprised. mr. connolly, you've -- i'm sorry, mr. gray, you seen the wizard of oz, right? >> yes, sir. >> you see the part where they talk with the scarecrow and they ask him which way the yellow brick road is, you remember that part? >> yes, sir. >> remember that part? >> yes, sir. >> my opinion, frankly, sir, that's exactly what you're doing
8:23 am
when you talk about the data breach happened at the irs. you know, when you've got something as sensitive as personal information from the number of students that you have, the moment in time that you think your data's been breached, you have a legal -- moral, if not legal responsibility to notify congress. that's a lot of information. and it wasn't done. and it's not the first time it wasn't done. and i don't understand that. and i don't know how it is we get across to the department that it's actually responsibility by law, if not morally. what's it take to get someone to understand that over there? can you explain that to me? >> i have committed that i will do that, sir. >> i ran a private school for six and a half years as a ceo. ms. garza, the cio reported to me for a reason. do you know the deal we had if we got hacked?
8:24 am
do you know what the deal was? do you want to guess what the deal was if we got hacked? >> you held the cio accountable. >> the cio's resignation was on my desk. that's how sensitive that information was. and i am serious. i'm absolutely serious. i'll give you his phone number, you can call him. his resignation was on my desk. his cell phone got buzzed anytime there were certain sets of activities, whatever hour of the night. now, who in your staff gets called in the middle of the night or gets a buzz if that data goes out of whack? >> the cio is the first one who gets a call, and depending on type of breach, she will call me. >> time limited. i've heard repeatedly budget concerns. that comes from the private sector, and i'm absolutely amazed. the first time a problem comes up, everyone wants to whip out the taxpayers' checkbook because, hey, just spend more
8:25 am
money. from the world i come from, we first identify the problem, not just throw money at it. so it's a question from me, ms. garza. and, by the way, we all know who had their data hacked. false tax returns, i had it happen to me. my youngest son is dealing with it right now, this year. how much money do you need to tell this group, to tell congress, that you can secure the system? exactly how much do you need in your budget that you'll put your letter of resignation there if you get hacked? how much money? >> i don't know how much money it would take. >> well, you ask for more money all the time. >> we ask for additional resources to continue to fortify -- >> every year. every year. >> that's correct. >> i asked you a question. how much money do you need in your budget for stated protection that you'll put that budget request in and simultaneously tender your resignation?
8:26 am
>> i don't have that dollar amount in my mind. criminal enterprises are constantly changing -- >> oh, i understand that. >> and their tactics. so to make a statement that we can guarantee a system is secure, quite frankly, is a little bit folly. we are doing everything we can to make sure that our systems are secure. we have not had a breach of our internal systems, although we have had data loss. and to put -- to try to come up with a dollar amount that would guarantee that something will not occur, i think, at that point i would think that we're probably not going to end up being secure. >> and my time is expiring, and i appreciate the patience. i -- anywhere else in the world, in the private sector at least, somebody says we really screwed up here. at least someone says, boy, we missed -- you know, they take accountability for it. my technology staff took it
8:27 am
personally when someone tried, when you had people trying to hack. how we secured it. it was the game. it was their life. and the fact that folks can sit here and say, well, basically, stuff happens. but we're going to talk about people's information from the department of education or the irs, it's not just stuff happens, it's their life. it's their tax return. it's their personal information used to get credit elsewhere. this is not minor stuff. and i don't see the perspective of concern that, well, we'll do the best we can. if it's wrong, we may notify, we may not, think it's not our problem, it's the irs' problem. again, it's they went that way. i'll join mr. connolly and others in finding a way to hold folks accountable because we can't have this kind of data leaking out, people taking it and using it for adverse purposes. you should be ashamed. i yield back. thank you. >> the gentleman's time has
8:28 am
expired. ms. maloney, you're recognized for five minutes. >> thank you, madam chair. we need to do everything we can to prevent cyber attacks from occurring, but when they do occur, it's critical that we take them seriously and also learn from them. in 2015 criminal elements attacked the irs and its get transcript application, the tool that allows taxpayers to obtain copies of prior tax returns using a collection of personal information. an organized crime syndicate accessed this application using stolen personal information of individuals and obtained tax data for a staggering 300,000 individuals. is that correct? mr. corbin? >> that is correct, congresswoman. >> and since that incident, the irs has been working diligently to increase the security of its systems.
8:29 am
in january 2016, as a result of cybersecurity improvements, the irs stopped an attempt to acquire the e-filing pin numbers of taxpayers. mr. corbin and ms. garza, is that correct, and can you describe what the improvements were that enabled you to stop this attempt? >> so, congresswoman, for get transcript, we took that application down and did an assessment of the level of risk, and we put in place what we call secure access authentication. it was a higher level of authentication that requires id proofing, financial verification and then an activation code in order to be able to get access to your transcript. we continue to take the dollars that were provided by congress, the $290 million, to invest in
8:30 am
additional cyber tools that allowed us in this case to be able to detect when there was activity occurring on tools that we have outside the irs network. for the e-file pin, congresswoman, we looked at that and again identified that that would be a vulnerability. the e-file pin application is not back up. we eliminated the e-file pin application and now require agi or the self-select pin which taxpayers have. >> okay. after the 2015 incident, you did a reassessment of the security of all of your online applications including the data retrieval tool. and as you stated in your testimony, that assessment -- and i'm quoting from your testimony -- indicated the need for strengthened procedures and led to collaboration with the board of education to best implement those procedures.
8:31 am
now, is that correct? >> that is correct. >> okay. now i want to turn to the 2017 data retrieval tool incident where criminals were able to use personal information gathered elsewhere to create student aid accounts on the department of education's web sites and obtain individuals' sensitive tax information. because the irs has improved its ability to detect fraud
8:32 am
before processing returns, this improved detection ability is illustrated by the fact that automatic security filters were able to stop almost 65% of potentially fraudulent refunds from being issued in the data retrieval tool incident, is that correct? >> that is correct. >> we can't stop all cyber attacks. that's just the reality of the day, but we can learn from them. so i think you've shown your ability to do that. you know, why would somebody want to file a fraudulent return? what was the purpose of it? >> congresswoman, most people file fraudulent returns with the goal of obtaining a refund from that return. >> and are they successful? >> congresswoman, fraudsters are successful, but we've gotten so
8:33 am
much better over the years. the irs has a public-private partnership called the security summit that works to protect the tax ecosystem, working with state departments of revenue and with software developers so that we can build a better system to help protect the tax ecosystem. as you did in this case with the data retrieval tool, we have new data elements or information that we're using in our filters. they did allow us to stop 80% of the returns that were filed in this event that were either potentially fraudulent or before the refunds were able to be paid. >> thank you. my time has expired, but i hope we can continue to fund the i.t. improvements that the irs requests so we can continue going forward in being more effective and stopping fraud and helping taxpayers. thank you for your testimony today.
8:34 am
>> thank you, ms. maloney. mr. grossman, you are the one we have been looking for. the last one. you are recognized for five minutes. >> a few questions. how long have you been chief information officer over education? >> eleven months. >> since november of 2015 this committee has uncovered what we thought were significant shortcomings in your plans before you were even there, as well as corruption of the former cio. as a new cio, what concerns you the most and what were your first actions as cio to clean this up? >> i have five focus areas when it came to the department. one was on security, another was organizational health. so policy challenges, numerous things we need to improve. and i will say in the last 11 months we've made significant progress at the department in terms of implementing processes,
8:35 am
implementing policies, changing personnel. >> okay. last year you reported 192 incidents in your department. can you tell us what information leaked out of those, give us how many files and what they covered? >> i would have to get that information for you. i do have a list of the information, but i want to verify. >> give me a broad, there must be some in your mind, what are some of the things figured out there? >> typically social security numbers transferred from one individual to another individual, or it wasn't encrypted. >> information connected with social security numbers? >> i don't want, i want to verify. >> can't think of any example? >> not at this moment. >> okay. is this, i guess we will call this, the ocio 14 handbook? >> yes, sir.
8:36 am
>> do you know how recently this was updated? i believe this is the current one you give your employees. do you know how recently or how recent the most recent update was? >> there's a draft circulating right now that is being updated. it has been updated and it is being -- >> do you know how old this is? >> several years. >> a little over six years now, okay. is that satisfactory? >> no, sir. >> could you give us a hard number as to when you feel you'll get something available for your new employees? >> for 14? >> correct. >> the concurrence process within the department takes an amount of time, so i can't comment on that, but i will say that i have a solid draft that is going through concurrence right now. >> can you give us a guess? a month, four months? a year? >> my understanding is the process is
8:37 am
six months to a year to go through formal concurrence. >> how far are you into the process? >> we started last week. we started the actual process last week. >> so you began something that could be a year before we get something that is more than six years old? >> i will expedite because i know it is critical to the department. >> it's critical for the public. could you give us, when we talk about the files with the social security numbers, can you tell us what else is in those files? >> i would have to look at the specifics. at this point, sometimes there are spreadsheets that contain social security numbers. i would have to look to verify. >> okay. we will try mr. runcie. have there been breaches of -- >> not to my knowledge. no. there was, i think about, might've been four years ago, there was a time when the system was open for a few minutes and there were 6000 cases of information that was viewed that should not have been viewed, but
8:38 am
that was the only systemic breach or exfiltration, not exfiltration but an incident that occurred. >> how long ago was that? >> it was a few years ago. i'm not exactly sure. >> you say that nobody breached anything for the last four or five years, three or four years we'll say? >> there's been no material breach. there's a possibility there might've been an incident here or there in terms of student aid data, but none to my knowledge. >> okay. they don't tell you? >> i would be informed if there was, and i'm not aware of any. >> okay. i would yield the remainder of my time. >> thank you very much. i'm ready to close. none of my colleagues on the democrat side, so i will make some very brief comments. i will not breach our
8:39 am
protocol, i will not ask questions, but i will let ms. garza and mr. corbin know that we will be asking you exactly how many fraudulent returns were filed as a result of the breach, and when those people obtained that information. and we want an answer in what most of us would consider a reasonable time. it has been extraordinarily difficult today to get any kind of specific answer out of any of you. i think mr. mitchell's comments about the scarecrow were entirely apt. you are blaming each other. the american people, frankly, are tired of this kind of display of incompetence again. you all cannot answer questions,
8:40 am
or will not answer questions, it's a little difficult to know. and let me tell you something. in my world, $30 million is a lot of money. a lot of money here, and you all don't seem to take it seriously at all. that as a result of your not being able to take action when a breach is made and you're not following the law, to let congress know, it's even more troubling to me that you take so long to do anything. the comments about some document that is very important taking seven years to update. it's pure incompetence. and i would gather, i mean, i would venture to say that we might be able to get better people coming in to your agencies to do the work that needs to be done, regardless of
8:41 am
the pay, if they thought they could get something done. but the bureaucracies are so impossible to change. and i do want to note that both mr. gray and mr. runcie came to the department -- and all of you all, too, in the irs -- under the obama administration. our colleagues are going to raise cain with the existing departments and make it appear as though this is the responsibility of the current administration. and i think it needs to be made abundantly clear that you all came in to these agencies under the previous administration and have been kept on by the previous administration. we will also put into the record the expanded timeline in terms of when these problems began
8:42 am
occurring, and point out where we possibly can the inaction of the people who are supposed to be working for the american people and keeping their data confidential. so i thank you all for being here today, and this hearing is dismissed. [inaudible conversations]